As anyone who even casually watches the nightly news can tell you, breaches of customer and corporate data can cause serious financial, legal, and reputational harm to a company. But, for energy companies that own and operate physical assets that comprise the nation’s power grid, understanding and complying with the federal government’s complex and constantly evolving cyber regulations for the energy industry is part of a larger effort to prevent cyber attacks that could cause devastating power disruptions. A recent report from Lloyd’s suggested that the economic havoc resulting from a cyber attack on the grid could exceed $1 trillion.
The complexity and sheer size of the U.S. electric grid make it vulnerable to a wide range of potential bad actors, including hacktivists, cyber criminals, terrorists, nation states, and even disgruntled employees. There is also mounting evidence that the nation's electric system is being targeted with increasing frequency.
The Department of Homeland Security repeatedly has identified the energy sector as the most heavily targeted sector of our country’s critical infrastructure; a June 2015 Congressional Research Service report chronicled a number of recent attacks; and a recent USA Today analysis of federal records revealed that the grid is struck by either a physical or cyber attack approximately once every four days.
Energy regulators have taken note and are moving to update the rules that energy companies must follow to protect the country's electric system. In July, the Federal Energy Regulatory Commission or "FERC" proposed to approve the latest set of revisions to the Critical Infrastructure Protection or "CIP" standards for the power grid. The CIP standards, first approved in 2008 and repeatedly revised since then, cover issues such as personnel and training, physical and network security, and incident reporting and disaster recovery. The North American Electric Reliability Corporation or "NERC" (a quasi-governmental entity charged with ensuring the reliable operation of the grid) develops the standards, subject to FERC approval, and has been delegated authority by FERC to monitor and enforce compliance with them.
The newly proposed CIP revisions—the sixth version since 2008—would update the current standards for Security Management Controls, Personnel and Training, Physical Security for Cyber Systems, Systems Security Management, and Recovery Plans. The proposed revisions also update two standards that have not yet even taken effect under the current version of the CIP, Configuration Change Management/Vulnerability Assessments and Information Protection, which highlights the rapid pace at which the standards are modified. The need for an ever-evolving set of cyber regulations for the grid was recently noted by FERC Commissioner Cheryl LaFleur: "The work that NERC, the industry, and the Commission do on cybersecurity must obviously continually evolve to meet the changing nature of the cybersecurity threat, which we all see in the news practically daily. Understanding the evolving threats and how best to respond to them is of critical importance."
Taken as a whole, the proposed CIP revisions are intended to close gaps in the standards that FERC previously identified. For example, FERC had recognized the need to limit the risks posed by transient devices (such as the laptops technicians connect to control systems for maintenance) and removable media (such as flash drives), both of which have been used to introduce malware into industrial control systems that are otherwise isolated from external networks. In response to that concern, the CIP revisions require covered entities to (1) develop plans and implement cybersecurity controls to protect transient devices and removable media and (2) train personnel on the risks associated with using them.
Additionally, FERC has directed NERC to develop a Supply Chain Management standard designed to ensure that the hardware, software, and computing services a company obtains from third-party vendors are secure before they are integrated into its cyber systems. In issuing this directive, FERC recognized that adversaries have targeted the vendors that serve the energy sector, so that a company cannot be cyber secure without appropriate supply chain controls: "This new type of malware campaign is based on the injection of malware while a product or service remains in the control of the hardware or software vendor, prior to delivery to the customer." The practical consequence is that a utility's own perimeter and configuration controls cannot by themselves detect a compromise that was introduced before the product ever reached the utility.
Interested parties have the opportunity to weigh in on the proposed CIP revisions. Comments are due by September 21, 2015.